Saturday, March 24, 2018
logo economy journal
< view full issue: Cibersecurity
Luis Corrons

​Who is behind cyberattacks?

Director of Panda Security

Cyberattacks are the order of the day, increasingly they grab more headlines and have an actual impact on the economy and our lives. When trying to figure out who is behind the attacks, it is best to start with a cuiprodest, who benefits from them?


Cybercrime is quite an attractive and lucrative business. Attackers increasingly rely on more and better resources -both technical and economic- allowing them to develop increasingly sophisticated attacks. 

This is what explains why there are more robberies and extortions carried out on commercial premises, bank branches and all kinds of business than ever before, with a peculiarity: now the attackers can be thousands of miles away without ever having come within reach of their victims.

A company has hundreds, thousands of computers on their networks, to which has to be added all kinds of connected devices: printers, IP cameras, mobile devices... and they all have to be protected. However, an attacker only has to compromise one of them once to succeed. It is not necessary for the attacked computer to have access to the information or resources that the cybercriminals go for, since they will simply use it as a starting point. They will use sideways movements on the corporate network until they find the information that interests them, or find the system that they want to sabotage.

The malware and computer security landscape has undergone a major change in terms of volume and sophistication. At present, in just a few hours more malware copies are created than during the entire last decade of the 20th century. 

New techniques for penetrating defences and hiding malware are allowing threats to remain on corporate networks for long periods.

All this results in more complex and dynamic threats, in addition to a greater number of attacks. Just about anyone can launch an advanced attack thanks to the democratization of technology, the black market and open-source tools. As a consequence, each and every company will become the target of advanced attacks, we need to take this fact into account to start working on effective security policies and actions. Having the mechanisms to detect, block and remedy any type of advanced threat can safeguard the coffers and the reputation of organisations.

Almost all of these crimes have an economic basis: it is all done for money. The attackers will go for the victims who bring in profits. This is why we have to put into place all possible measures to complicate and hinder the arrival at the target, so that it ceases to be productive. 

In most cases, if an attack becomes complex and they fail to reach their final goal, they will choose to go after a different target with a better return on investment for them.

To give us an idea of the complexity of the attacks, 62% of the security breaches that have taken place in companies have used hacking techniques. Moreover, in only 51% of cases did the attackers use malware. In the rest, they used other tools against which most companies are not protected.

In the case of cyberattacks, it is quite significant to gather forensic information about them, so that we can take the necessary measures in full knowledge of what we are facing. Thus we can find out where they came from, what techniques they used, what movements they made, what they have done, how they evaded defences, and so on.


While most attacks have an economic objective, there are also other cases where there are clearly different motivations. We have seen a clear case this year with the attack on companies with offices in Ukraine through thePetya/Goldeneye attacks, with a clearly political motive, and where the Ukrainian government itself openly accused the Russian government of being behind it.

But this is not a case in point. We are in the midst of an arms race in cyberspace, nations are creating cybercommandos as they know that it is key, not only as a method of attack, but they need to immediately reinforce their defences against any attack on companies or infrastructure of national interest. 

President Obama's cybersecurity plan urged their successor to train 100,000 new computer security experts by 2020.


We estimate that by the end of 2017, the business of cybercrime will be valued at 1.95 trillion Euros. To put this into perspective, this figure is higher than the GDP of any of the countries belonging to the Euro area, with the exception of Germany and France. Although the means used by the security forces dedicated to prosecuting these crimes are growing, and there is increasing international cooperation, most crimes still go unpunished. If we add that it is increasingly easier to access the tools and information that facilitate carrying out such attacks, the conclusion is obvious: there will be more attacks.

Therefore, it is clear that during 2018 we will have to face a more dangerous environment, with more risks than ever before, which will definitely force us to change our mentality and strategy to achieve the highest levels of security and protect our assets. Going for malware only partially protects us, as we are entering a time when security strategy starts out by not trusting anyone. Any new process that wants to run on any of our network devices has to be pre-approved, and those that we trust will still need to be closely monitored to detect any abnormal behaviour in the shortest time possible.

Cases like WannaCry or Equifax exhibition us that security updates should priority processes within all companies. Every day that we do not apply a patch to vulnerable system, we are putting at risk both the reputation of the company, the integrity of our information and that of our customers and suppliers, and even putting at risk production that might incur losing millions. As a minor example, AP Moller- Maersk was one of the victims of the NotPetya/Goldeneye attack, and estimates that the company's losses due to this particular attack was around 200-300 million dollars.

We have to be prepared for the worst, and countries are increasingly investing in both defensive and offensive capabilities , with the focus on critical infrastructures. Being able to launch an attack remotely that causes a blackout is not a theory, we have seen it in practice in the Ukraine and could happen in any country in the world. What is worse, knowledge of different tools used to perpetrate these attacks makes it increasingly feasible for groups with more limited funding than those sponsored by states to carry out similar actions, against specific targets. We also know that terrorist groups, like ISIS, are willing to use every means at their disposal to cause terror.

Luis Corrons has been working in the security sector since 1999, the year in which he began his professional career in Panda Security. In 2002, he was appointed Director of PandaLabs, the company's malware research laboratory, as well as coordinator of alerts in situations of malware infection worldwide. Since 2007, as Technical Director of PandaLabs, he has coordinated numerous projects related to malware analysis, and has collaborated in operations carried out by security bodies, both nationally and internationally. Luis Corrons is a WildList collaborator and member of the committee address of MUTE (Malicious URLs Tracking and Exchange). He is a well-known speaker at the most important security conferences, such as RSA, Virus Bulletin, HackInTheBox, AVAR, Security BSides, etc.



Ronda Universitat 12, 7ª Planta -08007 Barcelona
Tlf (34) 93 301 05 12
Inscrita en el Registro Mercantil de Barcelona al tomo 39.480,
folio 12, hoja B347324, Inscripcion 1



Ronda Universitat 12, 7ª Planta -08007 Barcelona
Tlf (34) 93 301 05 12
Inscrita en el Registro Mercantil de Barcelona al tomo 39.480,
folio 12, hoja B347324, Inscripcion 1